CVE-2026-1680 in Edgemo

Summary

by MITRE • 01/30/2026

Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions.


Analysis

by VulDB Data Team • 03/03/2026

The vulnerability identified as CVE-2026-1680 represents a critical access control flaw within the WCF endpoint implementation of Edgemo's Local Admin Service version 1.2.7.23180, which is now operated by Danoffice IT. This issue manifests as an improper access control condition that fundamentally undermines the security model of the local administrative service. The vulnerability specifically affects Windows environments where the LocalAdminService.exe process is running, creating a pathway for local attackers to bypass established security boundaries that should prevent unauthorized privilege escalation. The flaw exists in the named pipe communication mechanism that serves as the primary interface for the service, where the access control validation is insufficient to properly verify client credentials or group memberships before granting administrative privileges.

The technical root cause of this vulnerability lies in the design of the WCF endpoint within the LocalAdminService.exe process, which fails to properly enforce authentication and authorization checks when processing requests through the named pipe interface. The service appears to rely on client-side group membership validation that can be easily bypassed through direct communication with the named pipe endpoint. This improper access control implementation allows any local user to establish a connection to the LocalAdminService.exe named pipe and execute administrative commands without the proper authorization checks that should validate whether the connecting user possesses the necessary privileges or belongs to appropriate administrative groups. The vulnerability operates at the system level where the service process runs with elevated privileges, making the potential impact of exploitation particularly severe.
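
The missing control described above is a group-membership check made inside the service against the identity authenticated on the pipe. The following is an added example, not code from Edgemo, Danoffice IT or the Local Admin Service; it assumes .NET Framework WCF, and the contract `IElevationService`, the operation `RequestElevation`, the group name and the pipe address are all hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract; the real service's operations are not on this page.
[ServiceContract]
public interface IElevationService
{
    [OperationContract]
    string RequestElevation();
}

public class ElevationService : IElevationService
{
    // Hypothetical group whose members may request elevation.
    private const string AllowedGroup = @"EXAMPLE\LocalAdmin-Eligible";

    public string RequestElevation()
    {
        // Identity comes from the pipe's Windows transport authentication,
        // never from a user name or group list sent by the client.
        WindowsIdentity caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new SecurityAccessDeniedException("Caller is not authenticated.");

        // Group membership is evaluated inside the service on every call.
        if (!new WindowsPrincipal(caller).IsInRole(AllowedGroup))
            throw new SecurityAccessDeniedException("Caller is not in the allowed group.");

        // Act only on the authenticated SID; placeholder for the privileged step.
        return "Elevation approved for " + caller.User.Value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Hypothetical address. Transport mode makes WCF authenticate the caller.
        var host = new ServiceHost(typeof(ElevationService),
            new Uri("net.pipe://localhost/example-elevation"));
        host.AddServiceEndpoint(typeof(IElevationService),
            new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport), "svc");
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Because the decision is taken in the service process, a caller that skips the vendor client and talks to the pipe directly is still subject to the same check.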

The operational impact of this vulnerability is substantial as it enables local privilege escalation from standard user level to local administrator privileges without requiring any additional exploitation techniques or prerequisites. An attacker who gains local access to a system running this service can directly communicate with the named pipe endpoint and execute administrative operations that should normally be restricted to authorized administrators only. This creates a persistent backdoor that can be exploited repeatedly without detection, as the attack vector does not require network connectivity or complex exploitation chains. The vulnerability affects systems where the Local Admin Service is installed and running, potentially compromising multiple systems within an organization where this service is deployed. The impact extends beyond individual system compromise to potentially enable lateral movement and further attacks within the network perimeter, as administrative privileges provide access to system resources, user accounts, and sensitive data that would otherwise be protected.

Mitigation strategies for CVE-2026-1680 should focus on immediate remediation through software updates or patches provided by Danoffice IT, as this represents a vendor-specific vulnerability requiring official resolution. Organizations should also implement network segmentation and access control measures to limit local user access to systems running this service, while monitoring for unauthorized named pipe connections to the LocalAdminService.exe endpoint. The vulnerability aligns with CWE-284, which specifically addresses improper access control issues, and could potentially be mapped to ATT&CK technique T1068, which covers local privilege escalation through service misconfigurations. Additionally, system administrators should consider disabling or removing the Local Admin Service if it is not essential for business operations, and implement proper logging and monitoring of named pipe access to detect potential exploitation attempts. The recommended approach includes conducting comprehensive vulnerability assessments across all systems that may be running the affected service and establishing baseline security configurations that prevent unnecessary administrative service exposure.

Responsible: NCSC-FI

Reservation: 01/30/2026

Disclosure: 01/30/2026

Moderation: accepted

CPE: ready

EPSS: 0.00008

KEV: no

Activities: very low
